Pleavin Power Limited | 24/7 Nationwide Generator Specialists

Customer Enquiry

0151 832 5007
service@pleavinpower.co.uk

Emergency Helpline

(0)800 689 4803
24hr / 7 Days Per Week


GDPR & Data Protection Procedure

This document provides instruction for all Pleavin Power Ltd interested parties on ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation (GDPR 2016/679).

The Collection of Personal Data 

Pleavin Power Ltd collects and processes personal data to facilitate the running of its business. This processing does not involve the processing of Special Categories of personal data.

The Information we hold 

Pleavin Power Ltd has documented all information we hold representing any type of personal information, including pseudonyms, where we obtain it, why we hold it, who we share it with, and the measures we take to protect it. This information can be found within our GDPR Risk Assessment & Information Asset Register.

A controller determines the purposes and means of processing personal data; a processor processes personal data on the controller's behalf. Under UK GDPR both controllers and processors are required to maintain records of their processing activities. We have characterised the information that we hold and process, and the lawful basis for each category, as follows:

  1. Compliance with a legal obligation

Such as: employment records, accident reports for health and safety records, etc.

  2. Contractual performance

The foundation of conducting business operations. Processing is permitted where it is necessary for entering into a new contract, or for working under an existing contract, with the data subject. It is also permitted where the data subject initiates activities with the data controller, even before a contract exists: in pre-contractual relations (preparing or negotiating before entering into a contract) the processing is permitted where the steps are taken at the request of the data subject rather than initiated by the controller. For example, where an individual requests information from a service provider about a particular service by e-mail or social network, the processing of that individual's personal data is permitted for the purposes of responding to the enquiry.

  3. Vital interests

In situations not covered by a specific law, and in the absence of a contract, processing is permitted if it is necessary in order to protect the vital interests of the data subject. This would usually apply only to life-or-death situations.

  4. Public interest or acting under official public authority

Where the performance of a task carried out in the public interest, or the exercise of official authority vested in the controller, requires the processing of personal data. For example, the processing a political party is permitted to carry out when managing its copy of the electoral register.

  5. Legitimate interests

Perhaps the most ambiguous legal basis for processing is "legitimate interests". It provides the possibility of justifying processing that does not fall into the above legal bases, and allows data to be processed without relying on the data subjects' consent. It can apply to the interests of the data controller or of a third party to whom the data will be disclosed. Reliance on this basis requires a documented balancing test: the interest must be legitimate, the processing must be necessary for it, and it must not be overridden by the interests, rights and freedoms of the data subject.

Such as: certain client or service relationships between the data subject and the controller. It also includes processing for preventing fraud, and transmitting personal data within the data controller's group of undertakings, or institutions affiliated with a central body, for internal administrative purposes. This can include the processing of clients' or employees' personal data.

  6. Data subjects' consent

Finally, for scenarios not fitting into any of the above categories, data controllers are left with the last resort: obtaining the data subject's consent to the processing. Consent must be freely given, specific, informed and unambiguous, and can be withdrawn at any time, after which the processing must stop.

Risk Assessments 

We have assessed the risks associated with data protection and GDPR compliance; this information can be viewed within the GDPR Risk Assessment & Information Asset Register.

Policy & Awareness 

We have a documented Privacy Policy that is available to and communicated to relevant interested parties. To ensure awareness:

  • Our Corporate Social Responsibility Policy is issued to interested parties and contains reference to data protection.
  • We also maintain a Cyber Security Policy, and provide our personnel with guidance on security and safe IT use within our Company Handbook, to minimise the potential for hacking/cyber-attack or loss of personal data through error or misuse of company computers or software.

Safety of Information 

Information held in confidence about a person must not be disclosed to third parties unless:

  • The person that the information is about has consented, or
  • There is a statutory basis for disclosure or a court order, or
  • There is a public interest justification for disclosure, or
  • There is another basis in law for disclosure.

Processing Information 

Pleavin Power Ltd will ensure that a responsible DPO is assigned to control and manage data processing; the responsibilities of the DPO will be to ensure that:

  • All data is processed in a lawful, fair, and transparent manner
  • All data is recorded accurately, and the data held is:
    • Relevant
    • Stored securely
    • Protected from damage and unauthorised access
    • Up to date
    • Retrievable where a personal request for information is made
    • Only kept for the period required by retention law and guidelines (document retention periods can be found in our Documented Information & Record Keeping Procedure)

Where consent for processing is required 

Where data identified on the Information Asset Register requires consent for processing, consent must be obtained in written form from the data subject before that information is processed. If consent is not given, or is later withdrawn, the processing in question must not take place, and Pleavin Power Ltd will make reasonable adjustments to accommodate this.

  • For employee biometric consent: the form for obtaining consent is the Biometric Data – Employee Consent Form. Biometric data processed for the purpose of uniquely identifying an individual is special category data under Article 9 of the UK GDPR, so the consent obtained must be explicit.
  • For employee marketing information consent: the form for obtaining consent is the Marketing Data – Employee Consent Form.
  • For customer consent to use information for marketing and case study purposes, our New Customer Questionnaire can be used to obtain written consent.

Data Process 

  1. Data is received from source.
  2. Data is saved/filed under relevant secure conditions.
  3. Where changes are made by the source, as appropriate, a review of the shared sources is undertaken, and corrections issued to shared parties.
  4. Reviews are undertaken of:
    • The current personal data stored
    • Accuracy of the data
    • Whether the data is still relevant
    • The retention periods, ensuring responsible and irretrievable disposal of records where retention periods have lapsed
    • The current methods for protection of data, including risk assessments
    • The current consents for data sharing
  5. Improvements made to the system are documented as part of the annual review process.

Personal Information Requests 

  • Personal Information Requests must be handled by the receiver with support from the DPO.
  • On receipt, the receiver of the request will establish whether the PIR has been received from a genuine source with authorisation from the individual whose information is under request. This may be done by contacting the originator or the individual directly. No personal data is released until the identity of the requester, and any authority to act on the individual's behalf, has been confirmed.

Within 5 working days of the receipt of a Personal Information Request, the DPO must assess whether the request:

  • Is justified in accordance with the requirements of the Data Protection Act 2018 and the UK GDPR
  • Is not manifestly unfounded or excessive
  • Can be completed within one month of the date on which the Personal Information Request was received

  • If the receiver of the PIR is in any doubt as to how to complete these assessments, or has doubts over the validity/accuracy of the results, they must obtain advice from the Data Protection Officer (DPO) or a legal professional with experience in UK laws relating to personal information.
  • The actions required to execute approved Personal Information Requests must be completed as soon as is practically possible and within 10 working days at the latest.
  • The actions undertaken to fulfil a Personal Information Request must fully meet the details of the request.
  • The assessment results of Personal Information Requests must be communicated to the individuals who submitted them within one month of the date on which the Personal Information Request was received. Where a request is complex, or several requests have been received from the same individual, this period may be extended by up to a further two months, but the individual must be told of the extension and the reasons for it within the first month.

What action must be taken in the case of a Data Protection Breach 

1) Whoever identifies the breach must immediately report it to the Directors/Data Protection Officer. The DPO is Mr Jack Pleavin.

2) The DPO must assess the scope and impact of the personal data breach by:  

  • Ascertaining that personal data was breached.
  • Estimating the number of data subjects whose personal data was possibly breached.
  • Determining the possible types of personal data that were breached.
  • Listing the security measures that were already in place to prevent the breach from happening.

3) Notify the relevant parties: 

For a reportable breach (one likely to result in a risk to the rights and freedoms of individuals), the DPO must notify the Data Protection Authority, the Information Commissioner's Office (ICO), within 72 hours of the company becoming aware of the breach. All personal data breaches, including those assessed as not reportable, must be recorded together with the facts, their effects and the remedial action taken.

If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the affected data subjects must also be informed without undue delay.

4) Mitigate and Prevent further breaches 

  • Take all possible measures to reduce the risk and contain further unauthorised access.
  • Continue to refine the original estimate of the number of data subjects affected and the types of personal data that were breached.
  • Keep the DPO updated on the current situation.

5) Review and monitor: Once the personal data breach has been contained, the company must conduct a review of the existing measures in place and explore the possible ways in which these measures can be strengthened to prevent a similar breach from recurring. All such identified measures should be monitored to ensure that they are satisfactorily implemented.

Breaches will be reported as a CCIL report for inclusion to the company’s Management system processes.